Securing personal information of users and organizations is of paramount concern in today's highly connected society. More frequently, transactions that would typically be performed manually or in person are occurring over electronic networks with near instantaneous speed. These transactions are healthy for a twenty-first century economy, since the physical locations of the participants and the time of these transactions become of little import. As a result, the electronic transactions have made world economies more diverse (inclusive), more efficient and arguably they have increased the quality of life for the participants.
Unfortunately, this transformation of the world economy is not without problems. For example, in order to ensure the authenticity of any particular transaction, participants are often required to provide confidential information during the transaction in order to uniquely identify themselves. As a result, a wealth of confidential information about participants is continuously electronically collected, stored, and transmitted over electronic networks. Moreover, each time such information is electronically accessed or transmitted in some manner it becomes vulnerable to potential malicious interception. In other words, each time the confidential information is needed electronically for a transaction, that confidential information may be compromised in some manner. As another example, the confidential information can also be compromised at a vendor's storage location. This may occur as a result of either intentional or unintentional conduct on the part of the vendor.
Further, if malicious interception or access occurs, then the identity of a participant can be altered or used electronically to perform bogus transactions. For example, if a credit card number is intercepted along with its expiration date, then the interceptor can purchase items over the Internet pretending to be the credit card debtor. Still further, if a Social Security Number (SSN) is intercepted, the interceptor can use the SSN to apply for credit in the name of the person associated with the SSN, or electronically access that person's bank accounts. The potential for misusing confidential information is nearly infinite.
Not surprisingly, organizations that perform electronic transactions have developed a variety of techniques to control electronic access and transmission of confidential information. One popular technique is to house the confidential information in a protected data store and only permit authorized electronic applications to access the data store. Thus, a participant to a transaction authenticates to an authorized application, and that application then accesses the confidential information in the protected data store on behalf of the participant.
However, these conventional techniques assume that the authorized application has not itself been maliciously tampered with and that the authorized application is not acting on behalf of a bogus participant. Moreover, most conventional techniques will interface an authorized application to another access application. This other access application has direct access to the confidential information residing in the protected data store. Furthermore, the access application is generally not restricted in terms of what operations it may perform against the protected data store. Therefore, once a malicious user of an authorized application discovers that an access application has unfettered access to the protected data store, instructions can be issued within the authorized application to perform unauthorized transactions against the protected data store by maliciously using the unfettered access rights of the access application.
Thus, improved techniques for accessing confidential information are needed.